[57] ABSTRACT

A combined remote access and security system for servicing
a secure mainframe central processing unit having a console
monitor. A secure dispatch central processing unit for receiving
problem reports concerning the mainframe central processing
unit is in communication with the console monitor.
A field engineer's central processing unit is in communication
with the dispatch central processing unit. A data encryption
key is randomly generated and transmitted from the
dispatch central processing unit to both the field engineer's
central processing unit and the console monitor. The field
engineer central processing unit is in communication with
the mainframe central processing unit wherein data transmitted
from the field engineer's central processing unit is
encrypted and wherein the encrypted data is decrypted at the
mainframe console monitor.

12 Claims, 15 Drawing Sheets 
COMBINED REMOTE ACCESS AND SECURITY SYSTEM

This is a continuation-in-part of U.S. patent application
Ser. No. 08/752,249, filed Nov. 19, 1996, and entitled
COMBINED REMOTE ACCESS AND SECURITY SYSTEM.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a system that will provide
remote access to allow servicing of a mainframe computer
site while at the same time providing for security and
integrity of the mainframe computer installation. In
particular, the present invention is directed to a system
wherein service and maintenance of the mainframe computer
system is controlled and monitored from a remote
location and service on the mainframe computer system may
be performed by a remote support person at a further remote
location.

2. Prior Art

Current mainframe processing environments use an
operator console to display messages about the system.
These messages are monitored and any problems are noted.
Programmers and other technicians may then become
involved in solving a problem. The problem may be beyond
the operations staff's ability to handle.

The mainframe computer system may be serviced and
monitored from a remote location. Remote support of mainframe
computer installations is becoming increasingly
important. This includes both remote monitoring and service
support of mainframe computer systems. Businesses have
been established which are capable of monitoring and maintaining
a wide variety of mainframe computer installations.

From time to time, when problems are found, it is
necessary for a technician, field engineer, or remote support
person to have access to the mainframe computer system. A
technician or field engineer can work on the problems on site
at the mainframe installation. With high speed, broad band
communications, it is possible for a remote support person
or field engineer to diagnose and solve mainframe computer
problems from a remote location by communication from a
personal computer. Accordingly, the remote support person
or field engineer may be at any location. These technicians
are increasingly specialized and require wide access to the
mainframe computer installation.

Moreover, it is increasingly a trend for employees, including
those at mainframe computer installations, to work from
their homes on personal computers. In this case, the employees'
home computers must be connected to the mainframe
computer installations.

At the same time, the computer mainframe installation
must retain its security and integrity. In the past, while
limited access and "firewalls" have sometimes been
employed to maintain security, the field engineer or remote
support person needs wide access to the mainframe computer
to diagnose and solve the problems.

Typically, the dispatch control center is located in a secure
location. This dispatch control center may be at the same
physical premises as the mainframe customer site or may be
at a separate location remote from the mainframe. The
remote support person, however, is often times at an unsecured
location and may operate from a laptop or other
unsecured central processing unit machine. Additionally, the
mainframe computer business has only limited controls over
the field engineer. For example, a disgruntled remote support
person or field engineer with wide access to the mainframe
computer system could cause considerable problems.

With both the dispatch control center and the support
person at remote locations from the mainframe computer
center, the channels of communication are important. While
secure transmission lines are possible to establish, these are
expensive over long distances. Additionally, the support
person may be mobile.

The development of personal computers, modems
(modulator/demodulator devices) and data connections has
[illegible] the growth of many types of computer networks.
The Internet, a somewhat public network of networks, has
become an increasingly useful pathway for computer communication.
There is, however, a concern about the security
integrity of the Internet pathways.

One solution to security on the Internet has been the
encryption of data to be transmitted. One type of encryption
[illegible] "key" [illegible] sender and recipient must keep
secret. Another type of popular encryption uses "public-private
keys." The first is a public key made available to
anyone. The second is a "secret key" which the user must not
allow anyone else to see. The public and private keys work
in tandem. If the secret key is stored on a computer system,
it is, however, vulnerable.

[illegible] concerns may also exist on
corporate intranets and private networks.

Accordingly the present invention is directed to an
arrangement where a mainframe or mainframes are secured
at a customer site and wired to a personal computer with
software for console monitoring. The console monitor is in
communication with a secure dispatch control center location.
The dispatch control center, upon being alerted of a
problem, will contact a support person to diagnose and solve
the particular problem. A data encryption key is randomly
generated and transmitted from the dispatch control center to
[illegible] processing unit and to the [illegible] mainframe.

It is a further object and purpose of the present invention
to provide a remote access and security system using data
encryption keys wherein a data encryption key is never
transmitted or sent between the remote support person's
processing unit and the mainframe installation.

SUMMARY OF THE INVENTION

In a combined remote access and security system of the
present invention, a single mainframe or multiple mainframes
are located at a secure location. The mainframe or
mainframes are connected to a console monitor central
processing unit through a coax or twinax connection.

The console is used to display status messages about the
mainframe computer system including errors or critical
situations occurring on the computer system. When specified
mainframe system alerts or problems occur a warning
alert will be issued. This alert will be communicated from
the console to a dispatch control center central processing
unit at a remote, secure location.

A dispatcher will monitor any alarm codes received from
the mainframe system. The dispatcher will create a trouble
ticket for each incoming alarm, assign a field engineer to the
problem and call or otherwise contact the field engineer.

Thereafter, the dispatcher will initiate through the dispatch
central processing unit, a unique, randomly generated
user identification/password pair which is referenced to the
assigned problem number. The user identification/password
pair is a data encryption key randomly generated by the
dispatch central processing unit. The data encryption key is
generated from a mathematical algorithm and will be a
randomly generated binary code.

The identification/password encryption key is transmitted
in two separate transmissions over two separate paths. The
data encryption key is communicated from the dispatcher's
central processing unit to the field engineer's central processing
unit. Additionally, the dispatch central processing
unit will also transmit the data encryption key back to the
console central processing unit of the mainframe.

Once the field engineer has been notified and has received
the identification/password pair from the dispatch control
center, the field engineer will log on and communicate with
the console central processing unit.

Data communicated from the field engineer's central
processing unit to the console central processing unit is
encrypted with the identification/password key. The data is
subsequently decrypted upon receipt at the console monitor
central processing unit. Importantly, the password/identification
pair does not travel over the connection
between the field engineer and the mainframe site.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a simplified schematic view of a combined
remote access and security system as set forth in the
present invention.

FIG. 2 illustrates a schematic view of an alternate embodiment
of a combined remote access and security system as set
forth in the present invention;

FIGS. 3A, 3B, 4, 5A, 5B and 6 are flow charts illustrating
the sequential steps of the present invention; and

FIGS. 7 through 13 illustrate sub processes of those in
FIGS. 3 through 6.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Referring to the drawings in detail, FIG. 1 illustrates one
preferred embodiment of a schematic diagram of a combined
remote access and security system 10 of the present
invention.

At a mainframe computer installation, a single mainframe
12 or multiple mainframes are located at a secure location
(illustrated by the box 14). In many industries and
businesses, large numbers of transactions are processed on
an around-the-clock basis. Because of this demand, multiple
mainframe central processing units are utilized within a
secure computer complex. Access may be limited by physical
measures such as locked rooms, fingerprinting, and the
like.

The mainframe or mainframes are connected to a console
monitor central processing unit 16 which typically includes
a keyboard 18 and display 20. The console 16 can be
connected with the mainframe or mainframes in various
ways, such as by coax or twinax connections 22.

The console 16, in the present situation, may employ a
Windows NT operating system or other known operating
systems. The operating system will have an application
program or programs which is in a client-server format and
provides console monitoring and console automation features.
The application program watches or monitors the
console for certain conditions.

The console 16 is used to display status messages about
the mainframe computer system and allows the operations
staff to control the operations of the mainframe or mainframes.
Types of messages displayed may be about errors or
critical situations occurring on the computer system.
Examples of problems noted may be a tape drive fault or a
fault in a chip on a board.

In today's environment, a single console may be responsible
for multiple mainframe computers running multiple
computer operating systems.

[illegible] specified mainframe system alerts, events or problems,
the console will issue a warning or alert. This alert will be
communicated from the console 14 through a modem and
through a communications path, shown by arrow 30, to a
dispatch control center indicated by box 32. In the present
embodiment, the communications path may be across the
public Internet network. Each computer or machine will
have a distinct Internet protocol address. Other communications
paths, such as corporate intranets or private
networks, are possible within the teachings of the present
invention.

In the present embodiment, the secure dispatch control
center 32 is located remote from the mainframe site,
although the teachings of the invention apply if the dispatch
center is at the same location.

The dispatch control center 32 is ordinarily at a secure
location. Thus, access to the computer is limited by physical
measures such as locked rooms, fingerprinting and the like.
Additionally, access to the dispatch central processing unit
34 may require passwords prior to log on procedures.
Typically, the dispatch central processing unit 34 includes a
keyboard 36 and a display 38. The dispatch central processing
unit 34 will be running a client side version of the
application program running on the console monitor 16, as
previously discussed.

A dispatcher (not shown) will monitor incoming alarm
codes received from the mainframe 12. If an alert occurs, it
will appear on the display screen 38 of the dispatcher. Upon
receipt of an alarm code, it will display in a list on the
display screen 38.

The dispatcher will create a trouble ticket for each incoming
alarm in the problem tracking program. Alternatively,
the procedure to create a problem or trouble ticket might be
automated.

[illegible] been completed, a field engineer or other
remote support person will be assigned to the problem and
be called or otherwise contacted. In one such procedure,
the dispatcher will call the field engineer or remote support
person via telephone over a voice line. This connection is
shown by arrow 40. The field engineer will be assigned a
problem number for the incoming problem on the mainframe
computer.

Thereafter, the dispatch control center will initiate a utility
software program on the dispatch central processing unit 34
which will create a unique, randomly generated user
identification/password pair which is referenced to the
assigned problem number. In the FIG. 1 embodiments, the
user identification/password pair is a data encryption key
randomly generated by the dispatch central processing unit
34.

In the present case, the data encryption key is generated
from a mathematical algorithm and will be a randomly
generated binary code of 128 bits. The data encryption key
is also time limited so that after a certain period of time, it
will automatically expire. For example, the data encryption
key may be valid for a period of 24 hours, after which it is
no longer valid.

The identification/password pair is transmitted in two
separate transmissions in two separate paths. The data
encryption key is communicated and transmitted from the
dispatch central processing unit to a remote support person
or field engineer central processing unit 50 as shown by
arrow 52. The field engineer central processing unit may
take many forms, such as a laptop terminal, handheld [illegible] or
a desktop computer.

The dispatch central processing unit will also transmit the
identification/password data encryption key back to the
console central processing unit 16 as shown by arrow 24.
The data encryption key is itself also encrypted. The data
encryption key is itself decrypted at the field engineer's
central processing unit and at the console.

Once the field engineer or remote support person has been
notified and has received the identification/password pair
from the dispatch control center, the field engineer 50 will
log on and communicate with the console central processing
unit 16 as shown at arrow 54. The field engineer will be
running a client side version of the same application program.

The communication between the field engineer and the
console may be made through a public network such as the
Internet. The encrypted data is decrypted at the console
monitor.

The field engineer or remote support person will input and
download the assigned problem number already received
from the dispatch control center 32. The field engineer will
thereby retrieve the problem details from the console. The
field engineer will [illegible] be connected to the mainframe site.
Importantly, the password does not travel over the connection
between the field engineer central processing unit 50
and the mainframe site 14.

Once connected to the mainframe computer site, the field
engineer or remote support person retrieves necessary information
through the console central processing unit 16 via the
coax 22 connection to the mainframe 12. The field engineer,
[illegible] access to the mainframe and will endeavor to solve
the problem presented.

Once the problem is resolved, the field engineer will
notify the dispatch control center 32 that the problem has
been resolved as shown at arrow 26. This may be done in a
number of ways. This may be done by telephone through
voice line. Alternatively, the field engineer may communicate
through the field engineer's central processing unit 50
through a communications line back to the dispatch central
processing unit. This may also be performed through the
Internet.

The dispatcher closes the problem in the problem tracking
system. Thereafter, the unique identification/password pair
is invalidated so that there is no longer access to the
mainframe computer. The dispatcher closes the problem in
the dispatch central processing unit database, which then
removes the identification/password pair from the console
monitor 16 at the mainframe site.

Each of the computer communications may be made
through a public network such as the Internet. The data
connection from an unsecured terminal/location is at all
times secured by the present invention.

FIG. 2 illustrates an alternate embodiment 60 wherein the
Internet protocol addresses are provided dynamically from a
secure name server central processing unit.

At a mainframe computer installation, a single mainframe
62 or multiple mainframes will be located at a secure
location (illustrated by box 64). The mainframe or mainframes
are connected to a console monitor central processing
unit 66 which typically includes a keyboard 68 and a
display 70. The console 66 can be connected with the
mainframe or mainframes in various ways, such as by coax
or twinax connections 72.

Alerts, events or problems will be noted by the console
which will issue a warning or alert. This alert will be
communicated from the console 66 through a modem and
through a communications path, shown by arrow 74, to a
dispatch control center 76. The dispatch control center
includes a dispatch central processing unit 78 having a
[illegible] 82. The dispatch central processing
unit [illegible] a client side version of the
application program running on the console monitor. If an
alert occurs at the console monitor, it will be transmitted and
appear on the screen of the dispatch central processing unit.
Upon receipt of an alarm code, it will display in a list on the
display screen 82. The dispatcher will create a trouble ticket
for each incoming alarm in the problem tracking program.
Alternatively, the procedure to create a problem or trouble
ticket might be automated.

A field engineer or other remote support person will be
assigned to the problem and will be called by a telephone or
otherwise contacted which is shown by arrow 84. Thereafter,
the dispatch control central processing unit 72 will communicate
with a secure name server 86 or 88. The secure name
server may be located on the premises of the dispatch control
center or may be remote therefrom. The secure name server
will, through a utility software program, generate a unique,
randomly generated user identification/password pair. This
is referenced to the assigned problem number. The user
identification/password pair is a data encryption key randomly
generated. The data encryption key is transmitted in
separate transmissions over two separate paths. The data
encryption key is communicated and transmitted from the
dispatch central processing unit 78 to a remote support
person or field engineer central processing unit 90 as shown
by arrow 92.

The dispatch central processing unit will also transmit the
encryption key back to the console central processing
unit 68 which is shown by arrow 94.

After the field engineer or support person has been
notified and has received the identification/password pair
from the dispatch control center, the field engineer will log
on and communicate with the console processing unit 68 as
shown by arrow 96.

Once the problem has been resolved, the field engineer or
support person [illegible] the dispatch control center that the
problem has been resolved. This is illustrated by arrow 98.
The dispatcher at the dispatch control center closes the
[illegible]. Thereafter, the
identification/password pair is invalidated so that
there is no longer access to the mainframe computer site 64.
The dispatcher closes the problem in the dispatch central
processing unit database which then removes the
identification/password pair from the console monitor 68 at
the mainframe site.

FIGS. 3 through 13 illustrate the process of the present
invention that will provide remote access to allow servicing
of the mainframe computer while providing for security and
integrity of the mainframe computer installation. The process
will be described in relation to the FIG. 2 embodiment
with a pair of dispatch control centers. FIGS. 3A and 3B
illustrate the initial process at the secure customer mainframe
site 14 to monitor for alerts. After the process has been
started, as shown at 100, the console will be checked for
alert situations illustrated at box 102.

If there is no unreported alert, as at 104, a check will be
made to see whether the reporting interval has expired 106.
If the reporting period has expired 106, then the current
Internet protocol address (IP) will be registered with a first 
secure name server, as seen at 108. If the first secure name 
server does not register the Internet protocol address, then 
the current Internet protocol address will be registered with 
the second secure name server as seen at 110. 

Returning to box 104, if there is an unreported alert, an 
Internet protocol address will be obtained for the first 
dispatch control center from a secure name server central 
processing unit as shown at 112. The secure name server is 
a repository of customer sites and their current IP addresses. 
Once the Internet protocol address has been obtained for 
dispatch center 1, an alert will be reported to the first 
dispatch center, as seen at 116. 

If the report on the alert has been received, box 118, then
the process can continue. If there is no success, then, as
shown on FIG. 3B, an Internet protocol address will be
obtained for dispatch center 2 from either secure name
server, as shown at 120. If an Internet protocol address has
been obtained for the second dispatch center as shown at
122, the alert will be reported to the second dispatch center
as shown at box 124. If the alert is reported as shown at 126,
the process will again continue in the same manner.

FIG. 4 illustrates the process for a dispatch control center 
to handle an incoming alert from a secure mainframe 
customer site. The FIG. 4 process would chronologically 
follow the process described in FIGS. 3A and 3B. The 
dispatch control center will receive an alert from the main- 
frame customer site 130. A problem ticket or problem 
number will be created in a tracking system as shown at box
132. A unique user ID/password pair for the remote support 
person will be generated, as at box 134. An Internet protocol 
address for the customer site will be obtained from a secure 
name server, as seen in box 136. Obtaining an IP address for 
the customer site will be explained in detail below. 

Once the Internet protocol address has been obtained for 
the customer site as shown at 138, a connection will be made 
from the dispatch control center to the customer site as 
shown at 140.

The remote support person's user ID/password pair will 
be set up on the customer mainframe site 142. After the 
connection with the customer site has been disconnected 
144, a remote support person will be selected from an 
availability list 146. The remote support person may be 
contacted in various fashions, such as by telephone, and 
given the problem number 148. 

FIG. 5 illustrates the process for the remote support 
person or field engineer that would be employed to handle 
the problem that has been reported. This procedure would 
chronologically follow the process shown in FIG. 4. 

As seen in FIG. 5A, once a problem has been received 
from the dispatch control center as shown at box 152, an 
Internet protocol address for the dispatch control center will 
be obtained from one of the secure name servers 154. This
process will be explained in detail below. 

Once the Internet protocol address has been obtained for
the dispatch control center as shown at 156, a connection 
will be made to the dispatch center 158. The name and 
details for the secure mainframe customer site will be 
provided 160. Thereafter, the remote support person will 
disconnect from the dispatch control center 162. 

An Internet protocol address will be obtained for the 
customer site from either of the secure name servers 164. 
Once the Internet protocol address for the mainframe customer
site has been obtained 166, the remote support person
will connect to the customer site using the Internet protocol 
as shown at 170. The remote support person or field engineer
will be able to work to solve the particular problem as seen
at box 172 and, thereafter, disconnect from the mainframe
customer site 174.

An Internet protocol address will be obtained for the
dispatch control center from either secure name server as
shown at 176.

Once the Internet protocol address has been obtained by
the support person for the dispatch center 178, the remote
support person will connect to the dispatch control center
using that Internet protocol address 180. The support person
will be able to report completion of the assignment and
closing of the problem record 182. The support person will
thereafter disconnect from the dispatch center, as shown at
184.

FIG. 6 illustrates the next sequential process in the overall 
system of the present invention. The dispatch control center 
will invalidate the remote support person's user 
ID/password at the secure mainframe customer site. 

The dispatch control center will obtain an Internet protocol
address for the mainframe customer site from either
secure name server, as shown at 190. Once an Internet
protocol address has been obtained 192, a connection will be
made between the dispatch control center to the console
monitor at the customer site using the Internet protocol
address as shown at 194. If no Internet protocol address has
been obtained, an error will be reported as shown at box 188.

The dispatch center's unique user ID/password will be
provided to the console at the customer site, as seen at box
196. A session will thereby be established to the console
monitor at the mainframe customer site (198). The remote
support person's user ID/password on the customer site
console will be invalidated as shown at step 200, following
which the session will be disconnected 202.
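
The key handling that the description and FIG. 6 lay out (a random 128-bit key tied to a problem number, delivered by dispatch to the console and to the engineer on separate paths, a 24-hour lifetime, invalidation when the problem is closed) can be modelled as follows. This is an added example, not code from the patent: the class and function names, the `PRB-0001` ticket id and the sample command are hypothetical, and HMAC-SHA256 in counter mode with encrypt-then-MAC stands in for whatever cipher the system would use.

```python
import hashlib
import hmac
import secrets

KEY_BYTES = 16        # 128-bit key, the size given in the description
KEY_TTL = 24 * 3600   # 24-hour validity, the example period in the description


def subkeys(key):
    """Derive separate encryption and MAC keys from the session key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a vetted cipher."""
    blocks, counter = b"", 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                           hashlib.sha256).digest()
        counter += 1
    return blocks[:length]


def tag_for(mac_key, problem, nonce, ct):
    """MAC over the length-prefixed problem number, the nonce and the ciphertext."""
    pn = problem.encode()
    msg = len(pn).to_bytes(2, "big") + pn + nonce + ct
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def seal(key, problem, plaintext):
    """Field engineer side: encrypt-then-MAC one message for the console."""
    enc_key, mac_key = subkeys(key)
    nonce = secrets.token_bytes(16)
    ks = keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return {"problem": problem, "nonce": nonce, "ct": ct,
            "tag": tag_for(mac_key, problem, nonce, ct)}


class Console:
    """Console monitor: holds keys that dispatch installed, per problem number."""
    def __init__(self):
        self.keys = {}     # problem number -> (key, expires_at)
        self.seen = set()  # (problem number, nonce) pairs already accepted

    def install_key(self, problem, key, expires_at):
        self.keys[problem] = (key, expires_at)

    def revoke(self, problem):
        self.keys.pop(problem, None)

    def receive(self, frame, now):
        problem, nonce, ct = frame["problem"], frame["nonce"], frame["ct"]
        if problem not in self.keys:
            raise PermissionError("no valid key for this problem number")
        key, expires_at = self.keys[problem]
        if now >= expires_at:
            self.revoke(problem)  # expired keys are dropped, not kept around
            raise PermissionError("key expired")
        enc_key, mac_key = subkeys(key)
        if not hmac.compare_digest(tag_for(mac_key, problem, nonce, ct), frame["tag"]):
            raise PermissionError("authentication failed")
        if (problem, nonce) in self.seen:
            raise PermissionError("replayed frame")
        self.seen.add((problem, nonce))
        return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


class Dispatch:
    """Dispatch center: the only party that generates and distributes keys."""
    def __init__(self, console):
        self.console = console

    def open_ticket(self, problem, now):
        key = secrets.token_bytes(KEY_BYTES)
        expires_at = now + KEY_TTL
        self.console.install_key(problem, key, expires_at)  # path 1: to the console
        return key, expires_at                              # path 2: to the engineer

    def close_ticket(self, problem):
        self.console.revoke(problem)  # closing the problem invalidates the key


def is_rejected(console, frame, now):
    try:
        console.receive(frame, now)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    console = Console()
    key, _ = Dispatch(console).open_ticket("PRB-0001", now=0)   # constructed id
    frame = seal(key, "PRB-0001", b"DISPLAY TAPE UNIT STATUS")  # constructed data
    print(console.receive(frame, now=60))
```

The frame sent from engineer to console carries only the problem number, nonce, ciphertext and tag, so the key itself never crosses that link. Each delivery of the key from dispatch would additionally be wrapped, since the description states that the data encryption key is itself also encrypted.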

The remaining processes illustrated in FIGS. 7 through 13
are sub-processes of the foregoing.

FIG. 7 illustrates the process to register a computer with
a secure name server central processing unit. A target secure
name server will be selected by its Internet protocol address,
as shown at box 210. The secure name server will be
provided an access user ID/password pair as seen at box 212.
A session will thereby be established to the server as shown
at 214. If the session has been established 216, the Internet
protocol address for the named machine will be registered
218. This process is also seen in FIG. 3A at boxes 108 and
110.

FIG. 8 illustrates the process to obtain an Internet protocol
address from a secure name server. This process is shown at
box 112 in FIG. 3A. As seen in FIG. 8, a secure name server
will be selected by its Internet protocol address, as seen at
box 220. The secure name server will be provided with an
access user ID/password 222 in order to establish a session
224. Once a session has been established, as shown at 226,
an Internet protocol address will be requested for the console
monitor 228. If the named computer has been defined 230,
a check will be made whether the named machine has its
address registered 232, and if the registration is up-to-date
234.

FIG. 9 illustrates the process for either of two secure name
servers to obtain an IP address initially from one server and,
if not successful, from a second server. This process would
be utilized at 176 in FIG. 5B.

FIG. 10 illustrates a process to obtain Internet protocol
address for a mainframe customer site from initially a first
server and, thereafter, a second server for the customer
mainframe site.
FIG. 11 illustrates the subprocess to report an alert from
the mainframe customer site to a dispatch center. This step
is illustrated in FIG. 3A at box 116.

The subprocess to connect a remote support person or
field engineer to a dispatch center is illustrated in FIG. 12.

Finally, the subprocess to connect to the console at a 
mainframe customer site using the Internet protocol address 
is illustrated in FIG. 13. 

Whereas, the present invention has been described in
relation to the drawings attached hereto, it should be understood
that other and further modifications, apart from those
shown or suggested herein, may be made within the spirit
and scope of this invention.

What is claimed is: 

1. A combined remote access and security system for 
servicing a secure mainframe central processing unit having 
a console monitor, which system comprises: 

a secure dispatch control central processing unit for 
receiving problem reports concerning said mainframe 
central processing unit; 

communications means for communicating between said 
mainframe from said console monitor and said dispatch 
control central processing unit; 

a field engineer central processing unit independent from 
said secure mainframe central processing unit and said 
secure dispatch control central processing unit, wherein 
said secure dispatch control central processing unit is 
remote from said mainframe central processing unit 
and wherein said field engineer central processing unit 
is remote from both said mainframe central processing 
unit and said dispatch control central processing unit; 

communication means for communicating between said 
field engineer central processing unit and said dispatch 
control central processing unit; 

a data encryption key randomly generated and transmitted
from said dispatch control central processing unit on
separate paths and in separate transmissions to both
said field engineer central processing unit and said
mainframe central processing unit; and

communication means between said field engineer central
processing unit and said mainframe central processing
unit wherein all data transmitted from said field engi-
neer central processing unit is encrypted and wherein
said encrypted data received is decrypted at said main-
frame central processing unit.

2. A combined remote access and security system as set 
forth in claim 1 wherein said data encryption key is time 
limited to expire after a set time period. 

3. A combined remote access and security system as set
forth in claim 1 wherein said communications means
between said mainframe central processing unit and said
dispatch central processing unit, between said field engineer
central processing unit and said dispatch central processing
unit and between said field engineer central processing unit
and said mainframe central processing unit is via the Internet
network.

4. A combined remote access and security system as set 
forth in claim 1 wherein said console monitor includes a 
central processing unit having monitoring and automation 
capabilities. 



5. A combined remote access and security system as set 
forth in claim 4 including a plurality of mainframe central
processing units connected to said console. 

6. A combined remote access and security system as set 
forth in claim 1 wherein said communications means for 
communicating between said mainframe and said dispatch 
control central processing unit and said communications 
means between said field engineer central processing unit 
and said dispatch control central processing unit are through 
a communications path with each said central processing 
unit has a distinct Internet protocol address. 

7. A combined remote access and security system as set 
forth in claim 6 wherein said Internet protocol addresses are 
stored in a secure name server. 

8. A process to remotely access and service a secure 
mainframe central processing unit having a console monitor, 
which process comprises: 

communicating a problem with said mainframe central 
processing unit from said console monitor to a remote 
dispatch control center central processing unit; 

randomly generating a data encryption key at said remote 
dispatch control center processing unit; 

transmitting said data encryption key from said remote 
dispatch control center on separate paths in separate 
transmission to both said mainframe central processing 
unit and to a field engineer central processing unit, 
wherein said field engineer central processing unit is 
independent and remote from both said mainframe 
central processing unit and said dispatch control central 
processing unit; and 

communicating between said field engineer central pro- 
cessing unit and said mainframe wherein all data trans- 
mitted from said field engineer central processing unit 
is encrypted and then decrypted at said mainframe 
central processing unit. 

9. A process to remotely access and service a secure 
mainframe central processing unit as set forth in claim 8 
including the additional step of time limiting the data 
encryption key to expire after a set period of time. 

10. A process to remotely access and service a secure 
mainframe central processing unit as set forth in claim 8 
including the additional, initial step of monitoring said 
console monitor for certain conditions which are identified 
as problems. 

11. A process to remotely access and service a secure 
mainframe central processing unit as set forth in claim 8 
wherein the steps of communicating said problem, transmit- 
ting said data encryption key, and communicating between 
said field engineer central processing unit and said main- 
frame are done over the Internet network. 

12. A process to remotely access and service a mainframe 
central processing unit as set forth in claim 8 including the 
additional step of the dispatch control center contacting said 
field engineer after communicating said problem to said 
dispatch control center. 
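
The key handling recited in claims 1, 2, 8 and 9, as an added Go example that is not part of the patent: the dispatch center randomly generates a key, hands an independent copy to each endpoint, and both ends refuse the key once the set time period has passed. AES-256-GCM, the ticket identifier bound as associated data, and all names and sample values are assumptions of this example; the claims name no cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// ErrExpired is returned once the key's set time period has run out.
var ErrExpired = errors.New("data encryption key expired")

// SessionKey is the data encryption key generated for one problem report.
// Ticket is a hypothetical identifier introduced for this example.
type SessionKey struct {
	Ticket  string
	Key     []byte
	Expires time.Time
}

// Issue randomly generates a 256-bit key at the dispatch center and stamps
// it with an expiry of now+ttl.
func Issue(ticket string, now time.Time, ttl time.Duration) (SessionKey, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return SessionKey{}, err
	}
	return SessionKey{Ticket: ticket, Key: key, Expires: now.Add(ttl)}, nil
}

// Deliver returns an independent copy of the key, standing in for one of the
// two separate transmissions (field engineer, mainframe site).
func (s SessionKey) Deliver() SessionKey {
	c := s
	c.Key = append([]byte(nil), s.Key...)
	return c
}

// aead refuses to build a cipher from an expired key, so neither end can
// keep using it after the time limit.
func (s SessionKey) aead(now time.Time) (cipher.AEAD, error) {
	if !now.Before(s.Expires) {
		return nil, ErrExpired
	}
	block, err := aes.NewCipher(s.Key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one message on the field engineer's side.
// The output is nonce || ciphertext || tag.
func (s SessionKey) Seal(now time.Time, plaintext []byte) ([]byte, error) {
	g, err := s.aead(now)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(s.Ticket)), nil
}

// Open decrypts and authenticates one message on the mainframe side.
func (s SessionKey) Open(now time.Time, msg []byte) ([]byte, error) {
	g, err := s.aead(now)
	if err != nil {
		return nil, err
	}
	if len(msg) < g.NonceSize() {
		return nil, errors.New("message shorter than nonce")
	}
	n := g.NonceSize()
	return g.Open(nil, msg[:n], msg[n:], []byte(s.Ticket))
}

func main() {
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC) // constructed timestamp
	issued, err := Issue("TICKET-0001", t0, 30*time.Minute)
	if err != nil {
		panic(err)
	}
	engineer, console := issued.Deliver(), issued.Deliver()

	msg, err := engineer.Seal(t0.Add(time.Minute), []byte("constructed console command"))
	if err != nil {
		panic(err)
	}
	plain, err := console.Open(t0.Add(2*time.Minute), msg)
	fmt.Printf("within time limit: %q, err=%v\n", plain, err)

	_, err = console.Open(t0.Add(31*time.Minute), msg)
	fmt.Printf("after time limit: err=%v\n", err)
}
```

The clock is passed in as a parameter so the expiry behaviour can be checked deterministically; a deployment would use each endpoint's own clock and has to allow for skew between them.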
over a computer network which includes the steps of input-
ting the message to be transmitted at a first device and then
encrypting the message at the first device. An address for a
dynamically addressed server is obtained and the first device
is connected to the dynamically addressed server. The
encrypted message is transmitted from the first device to the
server and the message is received at the dynamically
addressed server. The message is transmitted from the server
to a second device and then the message is decrypted at the
second device.
BACKGROUND OF THE INVENTION

1. Field of the Invention 

The present invention is directed to an apparatus and 
method for a secure electronic mail communication system. 
More particularly, the invention is directed for use in com- 
municating over networks where secure information 
exchange is required. The invention has utility in applica-
tions such as person-to-person communication over network
systems, communications over the Internet, interbusiness 
network communications where security is required, and the 
like. 

2. Prior Art 

The use of keys for secure communications is well
known. Secure communication systems, as well as key
systems, are shown in U.S. Pat. No. 4,182,933, issued to
Rosenblum on Jan. 8, 1980, entitled "Secure Communica-
tion System With Remote Key Setting"; U.S. Pat. No.
4,310,720, issued to Check, Jr. on Jan. 12, 1982, entitled
"Computer Accessing System"; U.S. Pat. No. 4,578,531,
issued to Everhart et al., on Mar. 25, 1986, entitled "Encryp-
tion System Key Distribution Method and Apparatus"; U.S.
Pat. No. 4,965,804, issued to Trbovich et al. on Oct. 23,
1990, entitled "Key Management for Encrypted Packet-
Based Networks"; U.S. Pat. No. 5,204,961, issued to Barlow
on Apr. 20, 1993, entitled "Computer Network Operating
With Multi-Level Hierarchial Security With Selectable
Common Trust Realms and Corresponding Security Proto-
cols"; and U.S. Pat. No. 5,416,842, issued to Aziz on May
16, 1995 entitled "Method and Apparatus For Key-
Management Scheme For Use With Internet Protocols At
Site Firewalls".

U.S. Pat. No. 4,182,933, issued to Rosenblum on Jan. 8,
1980, discusses a "Secure Communication System With
Remote Key Setting". The Rosenblum '933 patent describes
a system wherein a first subscriber communicates with a key
distribution center to get an updated key to initiate secure
communications with a second subscriber. An overview of
the system shows that the user dials a telephone number into
the first subscribing unit. The first subscribing unit then
places the telephone number into temporary memory stor-
age. The first subscriber then retrieves its initial caller
variable from memory and places it into a key generator. The
first subscriber then retrieves the number of the key distri-
bution center (KDC) from its memory and dials the number.
Once a connection has been established the first subscriber
sends its caller ID as well as the caller ID of the telephone
number being called to the KDC. This information is not yet
transmitted in a secure manner.

Once the KDC has received the information from the first
subscriber, the KDC looks up the caller variable for both the
first subscriber and for the telephone number being called.
The KDC then generates a new caller variable for the first
telephone number. The KDC then transmits the caller vari-
able for the number being called, a new caller variable for
the first subscriber, using a secure transmission controlled by
the initial caller variable. If this transmission is successful,
then the KDC will replace the old caller variable in its table
format with a new caller variable and break the connection.
Once the first subscriber has received and deciphered the
caller variable for the number to be called and its new key
caller variable, it will replace the old and used initial caller
variable key with the new caller variable key. The first
subscriber will then send the key for the number to be called
to the key generator, retrieve the telephone number to be
called, and dial the telephone number. The first subscriber
will then transmit any information input by the user to the
second subscriber using the second subscriber key. The
second subscriber will receive information that has been
encoded with the second subscriber key and will decode the
information and transfer it on to the second user. In an
alternative embodiment, after the phone call between the
first subscriber and second subscriber, the second subscriber
will call and get a new key from the KDC. In this alternative
embodiment, both the key for the first subscriber and for the
second subscriber will be changed out on every telephone
call.

U.S. Pat. No. 4,310,720, issued to Check, Jr. on Jan. 12,
1982 discloses a "Computer Accessing System". The speci-
fication discloses a method for communicating between an
access unit and a computer. The user enters his password
into an input device which is connected to an access unit.
The access unit generates a pseudo random access key from
the password that is entered. The access unit then sends the
access unit number and the generated access key to the
computer controller for access to the computer system. The
computer controller receives the access unit number and
access key. The computer controller then verifies the access
unit number. If the access unit number is properly verified,
the computer controller will then compare the access code to
the expected access code listed in a table in the computer's
memory. This expected access code is generated using a
congruent pseudo-random decoding algorithm. If the access
key code and the expected code match, then the computer
controller will establish a link between the access unit and
the computer.

The access unit and the computer will talk through an
encoded communication system. Both the access unit and
the computer will use a randomly generated encryption key
for encoding and decoding the communication. This key is
independently generated by both the access unit and the
computer and is not transmitted over the access unit to
computer link. After the termination of the call between the
access unit and the computer, the computer will generate and
store the next access key number for that particular access
unit.

U.S. Pat. No. 4,578,531 issued to Everhart et al. on Mar.
25, 1986 discloses an "Encryption System Key Distribution
Method and Apparatus". This system allows the secure
method for communication between a terminal "A" and
terminal "B" by using a remote key distribution center. An
initial signal is sent from terminal "A" to terminal "B" to
initiate the process of generating a secure communication
line. Terminal "A" then generates a new call set up key in
preparation for communication with the key distribution
center, and a partial session key which will be transmitted
through the key distribution center to terminal "B". Terminal
"A" then updates its verification information in preparation
for communication with the key distribution center. Termi-
nal "A" then initiates the connection with the key distribu-
tion center to which it sends its terminal address and the
terminal "B" address and an encrypted message including
the two generated keys and the verification information. At
this point, terminal "A" will wait for the processing by the
key distribution center.

The key distribution center will read the address infor-
mation from the signal sent from terminal "A" and use this
to access a de-cryption key previously sent in communica-
tion with terminal "A". The message from terminal "A" will
then be de-crypted and the verification information will be
updated. The key distribution center will then generate a
bidirectional asymmetric encryption/de-cryption key pair.
The first part of this key pair will be sent to terminal "A",
and the second part of the key pair will be sent to terminal
"B". A similar communication will happen with terminal
"B".

The message to terminal "A" will consist of a subsequent
call key for the next communication with a KDC, a partial
session key which it received from terminal "B", verification
information, and two other variables "Y" and "Q". These
five pieces of information will be encrypted using the call set
up key for the present communication with terminal "A" and
the information will be transmitted to terminal "A". A
similar encrypted message will also be sent to terminal "B"
from the KDC.

Terminal "A" will de-crypt the message from the KDC
and verify that the information is correct. Terminal "A" will
then store the new communication key for the next com-
munication with the KDC, take down the channel to the
KDC, and establish a communication channel with terminal
"B". A similar process will happen at terminal "B". At this
point, terminal "A" and "B" will be able to communicate
securely using the partial keys that were exchanged through
the KDC. Terminals "A" and "B" can then use a random
number and the variables "Y" and "Q" to create a new key
which may be used to communicate securely between ter-
minals "A" and "B". By using the variables and a random
number to generate a new communication key, a secure
communication encryption message may be employed
which cannot be known by any outsiders to terminal "A" and
"B", including the KDC.

U.S. Pat. No. 4,965,804, issued to Trbovich et al., on Oct.
23, 1990, discloses a "Key Management For Encrypted
Packet Based Networks". This method of key management
uses a key distribution center for sending keys to remote
locations so that a secure communication can be made.
Specifically, the system is designed to be compatible with
X.25 type packet switching networks. This compatibility
requires a balanced transmission which is implemented by a
transparent device between the source DTE and second
DTE. The source DTE sends a transmit request to the
transparent device which responds with a dummy signal
back to the source DTE. The transparent device then con-
tacts the key management system and obtains a key. A
similar key is sent to the transparent device for the second
DTE. The transparent devices for the first DTE and the
second DTE then establish a communication network with
an encrypted signal transfer, and finally the source DTE talks
to the second DTE through the transparent devices and the
encrypted connection.

U.S. Pat. No. 5,204,961, issued to Barlow on Apr. 20,
1993, discloses a "Computer Network Operating With Multi-
Level Hierarchial Security With Selectable Common Trust
Realms and Corresponding Security Protocols". The inven-
tion involves a method for setting up network communica-
tions between two trusted computer systems. Each trusted
computer has a common set of protocols for the protection
of data contained therein. Thus, if a user for a trusted
computer system attempts to send data to a non-trusted
computer system, then the trusted computer system will stop
the message transfer and will not allow the communication
to occur. This system operates as a method for two trusted
computers to talk over a network which is not physically
secure against interlopers. Each computer that is a member
of a specific trust realm enforces a predefined security policy
and defines security levels for the data contained within the
computer. Before a trusted computer transmits a specified
message, the trusted computer checks the trust realm table to
verify that both the transmitting and receiving computers are
part of at least one common trust realm. If both computers
are part of a common trust realm, then the message will be
transferred using the appropriate protocol for that trust
realm. If the computers are not both members of the trust
realm, then the message will not be transmitted. The com-
munication between two trusted computers consists of a
message which is transmitted as a protocol data unit which
includes a sealed version of the message, authenticated
identifiers for the sending system and user, the message
security level label, and an identifier for the selected trust
realm. The transmitted message is then received, processed
for validity and if valid, the message is processed within the
receiving computer.

U.S. Pat. No. 5,416,842, issued to Aziz on May 16, 1995, 
discloses a "Method and Apparatus For Key-Management 
Scheme For Use With Internet Protocols at Site Firewalls". 
This system consists of separate private networks which 
communicate over an Internet type connection through 
firewalls. A private network "I" communicates through a 
firewall "A" to the Internet where the message is transferred 
to firewall "B" and then decoded and sent on to another 
private network "J". This allows private network "I" and 
private network "J" to communicate in a secure encapsu- 
lated message while having firewall protection. The inven- 
tion begins with a source node "I" sending a data gram to the 
firewall "A". Firewall "A" has a secret value "SA" and a 
public value "PA". Similarly, firewall "B" is provided with 
a secret value "SB" and a public value "PB". In this manner 
both firewall "A" and firewall "B" can acquire a shared 
secret value "SAB" without having to communicate. The
communication is initiated by providing firewall "A" and 
firewall "B" with initial values for all other secure firewalls 
on the network. Firewalls "A" and "B" then use secret value 
"SAB" to create a key "KAB". The transmitting firewall 
then generates a random key "KP" which is used to encrypt 
the received data. The key "KP" and the encrypted data are 
then all encrypted by the public key "KAB" for transmission 
over the Internet. Firewall "B" will then use key "KAB" to 
de-crypt the message for the private key "KP" and de-crypt 
the data that has been transmitted. In this manner the 
transmitting firewall can constantly be changing the private 
key "KP" which increases the security of the system. 

The above-described key distribution and encryption sys-
tems suffer from the drawbacks of using known communi-
cation pathways, having known addresses, and some sys-
tems even transfer secure key information over the
communication lines.

Hence, there is a need for an improved communication 
method which allows for encrypted information transfer to 
dynamic locations without transmitting the keys over the 
communication line. 

Additionally, there remains a need for a mechanism in
which to log on to a computer system securely without
passing a password.
BRIEF SUMMARY OF THE INVENTION

In accordance with the present invention, an improved
encoded or encrypted method for transferring information is 
provided which addresses the drawbacks of the prior art 
devices. 

In accordance with one embodiment of the present inven- 
tion a message is input to a first device which obtains a 
dynamic address from a first server to allow for connection 
to a second server. 

A further embodiment of the invention allows for trans- 
mitting the message from the first device to the second 
server, receiving the message at the second server, storing 
the message until transfer to a second device as requested, 
and then transmitting the message to the second device from 
the second server. 

Another embodiment of the present invention allows for 
encoding the message before it is input to the first device, 
and decoding the message after it has been received at the 
second device. 

Yet another embodiment of the present invention allows 
for multiple servers which can be contacted to obtain the 
dynamic address of another server. 

A still further embodiment of the present invention uses a 
remote administrator to control access both to the first server 
for obtaining the dynamic addresses, and to the second
server for message transfers. 

In accordance with another embodiment of the present 
invention, the user access to the secure name server is 
controlled by a remote administrator which creates, autho- 
rizes and deletes valid user ID/password combinations. 

In accordance with another example of the present
invention, the system allows for an electronic mail transfer
between two users where a direct communication between
the first user and second user never occurs. In this manner,
two users can communicate without actually having a direct
connection which is detectable by other parties.

The principal object of the present invention is to provide
an easy to use, protected, electronic mail system for com-
munication.

Another object of the present invention is to allow for the 
establishment of multiple electronic mail servers for differ- 
ent user categories. 

A still further object of the present invention is to provide
for a system which can communicate on both secure and
non-secure electronic mail servers.

Yet another object of the present invention is to provide 
for a program which allows for automatic and immediate 
deletion of electronic mail messages once they have been
sent. 

Other objects and further scope of the applicability of the 
present invention will become apparent from the detailed 
description to follow, taken in conjunction with the accom-
panying drawings wherein like parts are designated by like
reference numerals. 

DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a schematic view of a network communication 
arrangement utilizing a secure electronic mail system of the 
present invention. 

FIG. 2 is a flow chart representation of the process to 
remotely administrate electronic mail accounts. 

FIG. 3 is a flow chart representation of the process used 
to send mail.

FIG. 4 is a flow chart representation of a process used to 
retrieve mail. 
FIG. 5 is a flow chart representation of a process to
register a machine with a secure name server.

FIG. 6 is a flow chart representation of a process for
obtaining an IP address from alternate secure name servers.

FIG. 7 is a flow chart representation of a process to get an
IP address from a particular secure name server.

FIG. 8 is a flow chart representation of a connection 
process to a secure electronic mail server. 

DETAILED DESCRIPTION OF THE 
PREFERRED EMBODIMENTS 

In accordance with one exemplary embodiment of the 
present invention as shown in FIG. 1, a protected commu- 
nication network is generally designated by the reference 
numeral 10.

In the preferred embodiment, the protected communica-
tion network 10 consists of a first central processing unit or
user 12, a secure name server 14, a secure electronic mail
server 16, a second central processing unit or user 18, a
remote administrator 20 and a connecting network 22. The
general operation of the overall system will be outlined in
the following discussion.

Initially, the secure electronic mail server 16 will establish
a link to a connecting network 22 and obtain a dynamic
address. The dynamic address is standardly assigned by the
network to a user of the network. An example of a dynamic
address is a dynamic Internet protocol address for commu-
nicating over the Internet or world wide web. The secure
electronic mail server 16 will then contact the secure name
server 14 which has a fixed address on the connecting
network 22. The secure electronic mail server 16 will then
notify the secure name server 14 of the secure electronic
mail server's 16 dynamic address on the connecting network
22. The communication between the secure electronic mail
server 16 and the secure name server 14 will then be
discontinued.

It will be understood that the present invention will be 
applicable to various types of networks. 

Next, the remote administrator 20 will log on to the
connecting network 22 and communicate with the secure
name server 14. Note that this communication is a protected
communication to allow for a protected information transfer.
The secure name server 14 transfers the dynamic address of
the secure electronic mail server 16 to the remote adminis-
trator 20. The communication between the secure name
server 14 and the remote administrator 20 is then discon-
tinued.

In an alternate embodiment, the remote administrator 20
will establish logon protocol for users to access the secure
name server 14. The remote administrator 20 will then have
the information to pass on to users of the protected com-
munication network 10 to allow them to access the secure
name server 14 through their logon protocol. In this manner,
access to the secure name server 14 is controlled by the
logon protocol, and only users authorized by the remote
administrator 20 will be allowed to access the secure name
server 14.

After receiving the dynamic address of the secure elec-
tronic mail server 16, the remote administrator 20 will
initiate a communication with the secure electronic mail
server 16 over the network 22. Once again, this is a protected
information transfer communication. During this
communication, the remote administrator 20 will create,
change, and delete authorized user ID/password combina-
tions for accessing the secure electronic mail server 16. The
communication between the remote administrator 20 and the
secure electronic mail server 16 will then be discontinued.

As different users require access to the system, remote
administrator 20 will provide the appropriate logon protocol
and/or authorized ID/password combinations to the users to
allow for access to the protected communication network
10. In this example, both the first user 12 and the second user
18 contact the remote administrator 20 for authorized logon
protocol and user ID/password combinations.

The first user 12 now wishes to write and send an
electronic mail communication to the second user 18 over
the protected communication network 10. The first user 12
uses his unique logon protocol combination to access the
secure name server 14 over the connecting network 22. Once
again, this is a protected communication. The first user 12
then obtains the dynamic address of the secure electronic
mail server 16 from the secure name server 14. The com-
munication between the first user 12 and the secure name
server 14 is then discontinued.

The first user 12 now uses his ID/password combination
and the dynamic address to log onto the secure electronic
mail server 16. Once the first user 12 has logged on to the
secure electronic mail server 16, the first user's 12 electronic
mail message is then protected by a protection method, such
as encryption, and sent on the communication network 22 to
the designated recipient's box on the secure electronic mail
server 16. In this example, the information would be stored
in the second user's box. The communication between the
first user 12 and secure electronic mail server 16 is then
broken.

At random intervals, the second user 18 will use his
[illegible] to obtain the dynamic address of the
electronic mail server 16 from the secure name server 14 and
then access the secure electronic mail server 16 with his
ID/password combination to see if there are messages for
the second user 18. If there are messages in the second user's
box on the secure mail server 16, the secure electronic mail
server 16 will notify the second user 18 that there are
messages available for retrieval. The secure electronic mail
server 16 will then use a protected transfer to send the
electronic mail message from the first user 12 to the second
user 18 over the connecting network 22. The communication
between the second user 18 and the secure electronic mail
server 16 is then discontinued. Thus, a message has been
transferred from the first user 12 to the second user 18
without a direct connection between the first user 12 and the
second user 18.

It will also be understood that, in an alternate
arrangement, the secure name server and the secure mail
server may reside on the same computer system.

The aforementioned method of communication provides
several levels of communication protection against outside
interference for unwanted monitoring.

First, the first user 12 and the second user 18 never
communicate directly. Thus, an outside person must monitor
multiple communication pathways to detect communication
between the first user 12 and the second user 18.

Second, because the secure electronic mail server uses a
dynamic address, the communication pathways to and from
the secure electronic mail server 16 are constantly changing.
This increases the difficulty of monitoring communication
with the secure electronic mail server 16.

Third, because the dynamic address of the secure elec-
tronic mail server 16 must be obtained from the secure name
server 14, the address of the secure name server 14 must be
known.

Fourth, because the secure name server 14 requires a
proper log protocol combination, the dynamic address of the
secure electronic mail server 16 is not easily obtained.

Fifth, because the secure name server 14 transfers the
dynamic address of the secure electronic mail server 16 in an
encrypted message, a first level of encryption must be
broken just to obtain the dynamic address for the secure
electronic mail server 16.

Sixth, because a communication between a user and the
secure mail server 16 is protected, a second level of encryp-
tion must be broken to obtain the message.

Seventh, because the users can be using an additional
protection or encryption system that is unknown to the
secure networks, an additional level of protection can be
[illegible] between the first user 12 and the second user 18. This
additional level must also be broken to obtain the message
[illegible].

Eighth, because the entire system is controlled by a
remote administrator 20, logon protocols, passwords, and
[illegible] constantly updated and changed. Any compro-
mised ID/password combinations can be
immediately deleted from the system by the remote admin-
istrator 20.

[illegible] applications of the present system
[illegible] communication [illegible] administrator 20 and a
secure electronic [illegible] communication [illegible]
another electronic mail server 16.

While these descriptions of protection levels illustrate one
example of the present invention, it is to be understood that
the different levels of protection or additional levels of
protection may be implemented in conjunction with the
present invention to further enhance security.

The sub-processes for communicating throughout the
network include the process to administrate electronic mail
accounts, the process to send electronic mail, the process to
retrieve mail, the process to register a machine with a secure
name server, the process to obtain a dynamic address from
alternate secure name servers, the process to get an address
from a secure name server, and the process to connect to a
secure electronic mail server.

Each of the sub-processes for communicating will be
given further detail in the following discussion.

Process to Administrate Electronic Mail Accounts

FIG. 2 of the drawings outlines the process by which the
remote administrator sets up the user ID/password combi-
nations. The process starts 30 by initializing the parameters
necessary for operation of the process. The system will then
check a first secure name server 32 for the dynamic address
of the secure mail server. Block 34 represents the system
checking to see if it properly obtained the dynamic address of
the secure mail server from the first secure name server. If the
system is successful in obtaining the secure mail server
dynamic address from the first secure name server, the
system will move on to connect to the mail server as shown at
block 36.

If the system is not successful in obtaining the dynamic
address of the secure mail server from the first name server
as shown in block 34, the system will move on to attempt to
obtain the dynamic address of the secure mail server from
the second secure name server, as shown in block 48. As
shown in block 50, the system will check to see if it has now
successfully retrieved the secure mail server dynamic
address from the second secure name server. If the system is
successful then the system will move on to connect to the
secure mail server as shown in block 36. If the system has
not successfully obtained the dynamic address of the secure
mail server from either the first name server or the second
secure name server the system will send back a report error
as shown in block 52 and return an error code to the user as
shown in block 54.

If the system has successfully obtained the dynamic
address of the secure mail server, it will connect to the 
secure mail server using the dynamic address as shown in 
block 36. The remote administrator will then be able to add 
user ID/passwords as shown in block 38, modify user 
ID/passwords as shown in block 40, and delete user 
ID/passwords as shown in block 42. The remote adminis- 
trator will then disconnect from the secure mail server as 
shown in block 44. The system will then end the process to 
remotely administrate as shown in block 46. 

A similar process could be adapted to change the logon 
protocol for the secure name servers. 

Process Used to Send Electronic Mail

FIG. 3 of the drawings outlines the process by which the 
secure electronic mail programs send mail communications. 
The process will start 60 by initializing the parameters 
necessary for operation of the process. The user will then use 
his logon protocol to check a first secure name server 62 for 
the dynamic address of the secure mail server. Block 64 
represents checking to see if it properly obtained the dynamic
address of secure mail server 20 from the first secure name
server. If the user is successful in obtaining the secure mail
server dynamic address from the first secure name server, the
user will move on to connect to the mail server at block 66.

If the system is not successful in obtaining the dynamic 
address of the secure mail server from the first name server 
as shown in block 64, the system will move on to get the 
dynamic address of the secure mail server from the second 
secure name server, as shown in block 74. As shown in block 
76, the user will check to see if it has now successfully 
retrieved the secure mail server dynamic address from the 
second secure name server. If the user is successful, then the
user will move on to connect to the secure mail server as 
shown in block 66. If the user has not successfully obtained 
the dynamic address of the secure mail server from either the 
first name server or the second secure name server, the user 
will send back the report error as shown in block 78 and 
return the error code to the operator as shown in block 80. 

If the user has successfully used its logon protocol to 
obtain the dynamic address of the secure electronic mail 
server, it will connect to the secure mail server using the 
dynamic address as shown in block 66. 

Once the user has successfully connected to the electronic 
mail server, the electronic mail is protected and sent to the 
electronic mail server as shown at block 68. The user then 
disconnects from the secure electronic mail server as shown 
at block 70, and ends the process as shown at block 72. 

Process Used to Retrieve Mail

FIG. 4 of the drawings outlines the process by which a
user retrieves mail from the secure mail server. The process
will start 90 by initializing the parameters necessary for
operation of the process. The user will use its logon protocol
to check a first secure name server 92 for the dynamic
address of the secure mail server. Block 94 represents the
user checking to see if it properly obtained the dynamic
address of secure mail server from the first secure name
server. If the user is successful in obtaining the secure mail
server dynamic address from the first secure name server, the
user will move on to connect to the mail server at block 96.

If the user is not successful in obtaining the dynamic
address of the secure mail server from the first name server
as shown in block 94, the user will move on to get the
dynamic address of the secure mail server from the second
secure name server, as shown in block 110. As shown in
block 112, the user will check to see if it has now
successfully retrieved the secure mail server dynamic address from
the second secure name server. If the user is successful, then
the system will move on to connect to the secure mail server
as shown in block 96. If the system has not successfully
obtained the dynamic address of the secure mail server from
either the first name server or the second secure name server,
the user will send back the report error as shown in block 116
and return the error code to the user as shown in block 118.

Once the user or retrieval program has properly connected
to the electronic mail server, the electronic mail program
will check to see if mail is available as shown at block 98.

If mail is available in block 98, then the retrieval program
will retrieve the message headers as shown in block 100,
retrieve the selected message as shown in block 102, delete
the message from the secure mail server as shown in block
104, and disconnect from the secure electronic mail server
as shown in block 106. The retrieval program will then
restore the necessary parameters to properly end this process
as shown in block 108.

If it is detected in block 98 that mail is not available, the
retrieval program will disconnect from the secure mail
server as shown in block 114.

Process to Register Machine with a Secure Name 

As shown in FIG. 5, when a user, administrator, or secure 
electronic mail server logs onto the system with a dynamic 
address, the secure name server is contacted. The process for
establishing this connection and supplying the proper
dynamic address to the secure name server is outlined as
follows.

As shown in block 120, the registering CPU machine
selects an appropriate secure name server to be contacted.
The registering machine then supplies the secure name
server with the proper logon protocol combination as
shown in block 122. As shown in block 124, a session with
a secure name server is then established. If the session is
successfully established as shown in block 126, then the
machine will go on to register the dynamic address for the
named machine 128, disconnect the session 130, and then
properly shut down this process as shown in block 134.

If the session was not properly established in block 126,
then the machine will report an error to the user or operator 
at block 136, and return an error code as shown in block 138. 

Process to Obtain a Dynamic Address from 
Alternate Secure Name Servers 

FIG. 2 of the drawings outlines the process by which a
network user obtains a dynamic address from multiple
secure name servers. The network user will use his logon
protocol to check a first secure name server 140 for the
dynamic address of the secure mail server. Block 141
represents the user checking to see if it properly obtained the
dynamic address of secure mail server from the first secure
name server. If the user is successful in obtaining the secure
mail server dynamic address from the first secure name
server, the system will return the dynamic address to the user
program as shown at block 142.

If the user is not successful in obtaining the dynamic
address of the secure mail server from the first name server
as shown in block 141, the user will move on to get the
dynamic address of the secure mail server from the second
secure name server, as shown in block 143. As shown in
block 144, the user will use its logon protocol to check to see
if it has now successfully retrieved the secure mail server
dynamic address from the second secure name server. If the
user is successful then the system will return the dynamic
address to the user program as shown in block 142. If the
user has not successfully obtained the dynamic address of
the secure mail server from either the first name server or the
second secure name server, the system will send back the
report error as shown in block 145 and return the error code
to the user as shown in block 146.



Process to Get an Address from a Secure Name 
Server 
FIG. 7 of the drawings outlines the process by which an
unknown address, such as the dynamic address of a secure
mail server, is obtained from a secure name server. The
process starts by selecting the target secure name server
machine by its fixed address/name as shown in block 150.
The user then provides the secure name server with its logon
protocol combination as shown at block 152. If the user
logon combination is verified then a session is established
with a secure name server as shown at block 154. As shown
at block 156, if the session has not been correctly established
then the secure name server will report an error code as
shown at block 178 and return the error code to the user as
shown at block 180.

Returning to block 156, if the session has been correctly
established as shown at block 156, then the user will be
allowed to request the address for the named machine at the
client site as shown at block 158.

The system will then perform a series of checks to see if
the named machine has been properly identified. If the
named machine has not been properly identified, shown at
block 160, then the system will be disconnected as shown at
block 172, move on to reporting the error code as shown at
block 178, and continue processing.

If the named machine has been properly defined as shown
at block 160, then the system will check to see if the named
machine has properly registered its address shown at block
162. If the address has not been correctly registered, then the
system will move on to disconnect session as shown at block
174, report the error code as shown at block 178, and
continue processing. If the named machine has properly
registered its address as shown at block 162, then the
machine will check to see if the registration is up to date as
shown at block 164.

If the registration is not properly up to date as shown at
block 164, then the system will disconnect the session as
shown at block 176, move on to report the error code as
shown at block 178, and continue processing.

If the system registration has been properly updated as
shown at block 164, then the system will return the obtained
address as shown in block 168 and disconnect the session as
shown in block 166. The system will then end processing as
shown at block 170.
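
The registration (blocks 120-138), lookup (blocks 150-180) and
alternate-name-server failover (blocks 140-146) flows described
above, modeled as an added Python example; it is not code from the
patent. The PBKDF2 credential store, the 300-second freshness
window, the error-code strings and the rule that only
administrator-defined machines may register are assumptions.

```python
import hashlib
import hmac
import os
import time

MAX_AGE_S = 300  # assumed freshness window; the text gives no figure


class NameServerError(Exception):
    """Error code reported back to the caller (blocks 178/180, 145/146)."""


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SecureNameServer:
    def __init__(self, fixed_name, accounts, known_machines, up=True):
        self.fixed_name, self.up = fixed_name, up
        self.known = set(known_machines)   # machines the administrator defined
        self.registry = {}                 # machine -> (address, registered_at)
        self.creds = {}                    # user -> (salt, password digest)
        for user, password in accounts.items():
            salt = os.urandom(16)
            self.creds[user] = (salt, _digest(password, salt))

    def _open_session(self, user, password):
        # Logon check shared by registration (122-126) and lookup (152-156).
        if not self.up:
            raise NameServerError("UNREACHABLE")
        # Unknown users still cost one PBKDF2 run, so timing does not reveal them.
        salt, want = self.creds.get(user, (b"\0" * 16, b""))
        if not hmac.compare_digest(_digest(password, salt), want):
            raise NameServerError("LOGON_FAILED")

    def register(self, user, password, machine, address, now=None):
        # Block 128; rejecting undefined machines here is an assumption.
        self._open_session(user, password)
        if machine not in self.known:
            raise NameServerError("UNKNOWN_MACHINE")
        self.registry[machine] = (address, time.time() if now is None else now)

    def get_address(self, user, password, machine, now=None):
        self._open_session(user, password)
        now = time.time() if now is None else now
        if machine not in self.known:          # block 160
            raise NameServerError("UNKNOWN_MACHINE")
        if machine not in self.registry:       # block 162
            raise NameServerError("NOT_REGISTERED")
        address, stamp = self.registry[machine]
        if now - stamp > MAX_AGE_S:            # block 164
            raise NameServerError("STALE_REGISTRATION")
        return address                         # block 168


def resolve(servers, user, password, machine, now=None):
    """Try each name server in order (blocks 140-144); raise if all fail."""
    errors = []
    for ns in servers:
        try:
            return ns.get_address(user, password, machine, now)
        except NameServerError as exc:
            errors.append(f"{ns.fixed_name}: {exc}")
    raise NameServerError("; ".join(errors))
```

The staleness check at block 164 is what keeps a client from
connecting to an address the mail server has already given up, so a
deployment has to pick the window to match how often the address
changes.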

Process to Connect to Secure Electronic
Server

FIG. 8 of the drawings outlines the process by which a
connection to a secure electronic mail server is made. The
process begins by the user selecting the secure electronic
mail server using the current dynamic address as shown at
block 190. The user will then provide the user ID/password
combination for the target secure mail server as shown at
block 192. The user will then attempt to establish a session
with secure electronic mail server as shown at block 194.
The system will check to make sure that the session has been 
correctly established as shown at block 196. 

If the session has been correctly established as shown at 
block 196, then the system will return to processing as 
shown at block 198 and allow the user to continue. 

If the communication session has not been correctly 
established as shown at block 196, then the system will 
report an error as shown at block 200 and forward the error
back to the user as shown at block 202. 

The preferred embodiment of the present invention uses
multiple secured name servers to allow for access to the 
secure mail server. However, it is also envisioned that a 
single secure name server or additional secure name servers 
could be used with this invention. It is also envisioned that 
the secure name server and the secure mail server could 
reside on the same machine. In this manner, two separate 
communication lines would be necessary to allow for the 
fixed address of the secure name server while providing for 
a dynamic address of the secure mail server. 

It is also envisioned that the logon combination and user 
ID/password combination could be identical. 

While the foregoing detailed description has described 
several embodiments of the secure electronic mail system in 
accordance with this invention, it is to be understood that the 
above description is illustrative and not limiting of the 
disclosed invention. 

The claims and the specification describe the invention 
presented and the terms that are employed in the claims draw 
their meaning from the use of such terms in the specification. 
The same terms employed in the prior art may be broader in 
meaning than specifically employed herein. Whenever there 
is a question between the broader definition of such terms 
used in the prior art and the more specific use of the terms 
herein, the more specific meaning is meant. 

While the invention has been described with a certain 
degree of particularity, it is manifest that many changes may 
be made in the details of construction and the arrangement 
of components without departing from the spirit and scope 
of this disclosure. It is understood that the invention is not 
limited to the embodiments set forth herein for purposes of 
exemplification, but is to be limited only by the scope of the 
attached claim or claims, including the full range of equiva- 
lency to which each element thereof is entitled. 

What is claimed is: 

1. A method for transferring messages on a computer 
network, comprising: 
encoding a message; 

inputting said message to be transmitted at a first device; 

encrypting said message at said first device; 

retrieving an address for a dynamically addressed mail 
server by contacting a first secure name server separate 
from said mail server using a unique combination 
ID/password to retrieve said dynamic address; 

connecting said first device to said mail server using said 
server dynamic address; 

transmitting said encrypted message from said first device 
to said mail server; 

receiving said message at said mail server; 

transmitting said message from said mail server to a 
second device; 




decrypting said message at said second device; and 
decoding said message. 

2. The method of claim 1, wherein obtaining an address
for the dynamically addressed mail server further comprises:

contacting a second name server upon a failure to obtain
the address from said first secure name server.

3. The method of claim 1, further comprising:

automatically deleting the message after transmitting the
message from said dynamically addressed mail server.

4. A method for transferring messages on a computer
network, comprising:

establishing a link between an electronic mail server and
a network;

retrieving a dynamic address for said electronic mail
server from a separate secure name server using a
unique combination ID/password;

establish a communication with said electronic mail
server across said network;

notifying said secure name server of said dynamic address
of said electronic mail server; and

thereafter discontinuing said communication between
said electronic mail server and said secure name server.

5. The method for transferring messages on a computer
network of claim 4, further comprising:

establishing communication between a remote
administrator and said secure name server on said network;

transferring said dynamic address of said electronic mail
server from said secure name server to said remote
administrator;

discontinuing said communication between said secure
name server and said remote administrator.

6. The method for transferring messages on a computer
network of claim 5, further comprising:

establishing a communication between said remote
administrator and said secure electronic mail server
across said network;

updating ID/password combinations for accessing said
secure electronic mail server;

discontinuing said communication between said remote
administrator and said secure electronic mail server.

7. The method of claim 6, further comprising:

distributing said ID/password combinations to users of
said network.

8. The method of claim 7, further comprising:

establishing a communication between a first user and
said secure name server using a first unique
ID/password combination;

transmitting said dynamic address of said secure
electronic mail server to said first user from said secure
name server;

discontinuing said communication between said first user
and said secure name server.

9. The method of claim 8, further comprising:

establishing a connection between said first user and said
secure electronic mail server;

encrypting a message from said first user;

transferring said message from said first user to said
secure electronic mail server across said network;

discontinuing the communication between said first user
and said secure electronic mail server.

10. The method of claim 9, further comprising:

monitoring said secure electronic mail server by a second
user;

notifying said second user that a message is waiting for
said second user;

transferring said message from said secure electronic mail
server to said second user;

discontinuing said connection between said second user
and said electronic mail server.

11. A method for transferring messages on a computer 
network, comprising: 

establishing a link between an electronic mail server and 
a network; 

retrieving a dynamic address for said electronic mail 
server from a separate secure name server using a 
unique combination ID/password; 

establishing a communication with said electronic mail 
server across said network; 

notifying said secure name server of said dynamic address 
of said electronic mail server; 

thereafter discontinuing said communication between 
said electronic mail server and said secure name server; 

establishing a communication between a first user and 
said secure name server using a first unique combina- 
tion ID/password; 

transmitting said dynamic address of said secure elec- 
tronic mail server to said first user from said secure 
name server; and 

discontinuing said communication between said first user 
and said secure name server. 

***** 



